Tasks for initial switch configuration

Sometimes we have to get back to basics and since switches are usually plug-and-play, you're probably overlooking a few things that can make the switch more manageable and secure.


In most instances, you can take any brand of switch out of the box, turn it on and, without any configuration whatsoever, have it provide the connectivity you need, much like an unmanaged hub would. In this tip, we'll look at when you need to configure something extra.

First things first: there's a minimum level of security that every network device should meet. That would include:

  • setting the password. (You won't like it if an intruder sets it for you.)
  • setting community strings or turning off SNMP if you don't intend to use it (especially if they're set to "public" and "private")
  • turning off all the methods of administration you won't use, especially the Web interface
  • configuring logins or an authentication server (RADIUS or TACACS+) if you have one
  • configuring a syslog server to store log entries remotely
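One way to check a switch against that baseline is to run a quick audit over a saved running-config. The following is an added example, not from the original article: it assumes Cisco IOS configuration syntax and two constructed sample configs (a weak one and a hardened one), and reports which of the five items above the config misses.

```python
import re

# Constructed sample running-configs in Cisco IOS syntax (assumed, not from the page).
WEAK_CONFIG = """\
enable password cisco
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 password cisco
 login
"""

HARDENED_CONFIG = """\
enable secret 5 $1$placeholder
no snmp-server
no ip http server
no ip http secure-server
aaa new-model
aaa authentication login default group radius local
radius-server host 192.0.2.10 key placeholder
logging host 192.0.2.20
line vty 0 4
 login authentication default
"""

def audit_config(config: str) -> list:
    """Return one finding per baseline item from the checklist that the config misses."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    # 1. Password set with an irreversible hash rather than a plain 'enable password'.
    if not any(ln.startswith("enable secret") for ln in lines):
        findings.append("no 'enable secret' configured")
    # 2. Default SNMP community strings still present (agent left on with well-known names).
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append("default SNMP community '%s' configured" % m.group(1))
    # 3. Web management interface left enabled.
    if any(ln in ("ip http server", "ip http secure-server") for ln in lines):
        findings.append("web management interface enabled")
    # 4. Logins backed by an authentication server (RADIUS/TACACS+) require AAA.
    if "aaa new-model" not in lines:
        findings.append("no AAA (RADIUS/TACACS+) login configured")
    # 5. Remote syslog destination so log entries survive the switch itself.
    if not any(re.match(r"logging (host )?\d+\.", ln) for ln in lines):
        findings.append("no remote syslog server configured")
    return findings
```

Running `audit_config(WEAK_CONFIG)` returns six findings (both default communities are reported separately); the hardened config returns none.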

The rest of our configuration list depends on what you intend to do with the switch and to some extent, how complex your environment is.

  • If you have more than one switch in a broadcast domain, you'll want to configure Spanning Tree Protocol. This will probably be turned on and work by default, but it might select a root bridge that will give you suboptimal convergence. Set the bridge priority on the switch you want to be root, and leave the rest default.
  • If you have more than one IP subnet on a switch, you may need to configure VLANs or trunk ports. Don't forget to put user ports into the appropriate VLANs after you create them. Note that if you are using a Cisco switch, even if you only have one subnet, I strongly recommend that you do NOT use the default VLAN 1 as this behaves somewhat differently than other VLANs. Create another VLAN and put all the ports into it.
  • If you plan to connect IP phones, then you may need to configure "voice VLANs" and also enable Power over Ethernet. PoE may be disabled by default.

There are, of course, dozens of other things you can do to make your network better, like configuring labels on each port to help you track what device is plugged into them, manually setting the speed and duplex on some ports, or turning off unneeded protocols like PAgP. But this list should be sufficient to get most networks up and running with a reasonable effort.


Tom Lancaster, CCIE #8829, CNX #1105, is a consultant with 15 years' experience in the networking industry and co-author of several books on networking, most recently CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.


This was first published in May 2005
